QSC 2021 VMDR Overview 


VMDR Training Documents

• QSC 2021 VMDR Overview Lab Supplement
• QSC 2021 VMDR Overview Slides

You can download both documents just below the presentation you are viewing (at the bottom of the page).
Play Lab Tutorials

Navigate to the following URL to view the "Configure Agents for VMDR" tutorial:

http://ior.ad/7bze

[Screenshot: the iorad player for "Configure Agents for VMDR" (15 steps / 3 mins, Nov 2020 by Qualys). Click the "Start" button to open the lab tutorial and "Maximize Screen" to enlarge it.]
Qualys VMDR Lifecycle

[Diagram: the Qualys VMDR lifecycle.]

© Qualys.

VMDR Agenda

1. Asset Management
   • Qualys Sensor Overview
   • CyberSecurity Asset Management (CSAM)
2. Vulnerability Management (VM)
   • Vulnerability Findings
   • Dashboards & Widgets
3. Threat Detection & Prioritization (TP)
   • Threat Intelligence Feed
   • VMDR Prioritization Report
4. Response: Patch Management (PM)
   • Deployment Jobs
   • Patch Catalog


Asset Management 


Qualys, Inc. Corporate Presentation 


CIS Control 1: Inventory and Control of Enterprise Assets

Overview

Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

5 Safeguards: IG1 2/5, IG2 4/5, IG3 5/5

https://www.cisecurity.org/controls/inventory-and-control-of-enterprise-assets/
Qualys Sensor Platform

[Diagram: the sensor types that feed the Qualys Cloud Platform]

• Remote Scanners (Internet facing)
• Local Scanners
• Cloud Agents (servers, endpoints, mobile devices)
• Passive Scanners
• Cloud Connectors
• Out-of-Band Sensors
• SaaS Connectors
• Container Sensors
• APIs (collect data from 3rd parties)


Configure Agents for VMDR

[Screenshot: the "Welcome to Qualys VMDR" page. Steps shown: "Identify Assets" (continuously discover your IT assets that are on-prem, cloud, mobile, container, applications, providing 100% real-time visibility); "Discover Vulnerabilities & Misconfigurations" (detect vulnerabilities with six-sigma accuracy and use CIS Benchmarks to uncover misconfigurations); "Configure Agents for VMDR & Manage Tags", with the list of supported operating systems.]

• The patching and response functions in VMDR require the Cloud Agent.
• Some agent Activation Keys may need to be updated to include the VMDR application modules (i.e., VM, CSAM, SCA, and PM).
Lab 1: Configure Agents for VMDR

Please consult pages 3 to 13 in the lab tutorial supplement for details. The tutorial begins on page 4 (10 mins).
Upgrade Agent Activation Keys

Upgrade Agents with Activation Keys

VMDR requires the activation of a purpose-built engine for detecting missing patches for Cloud Agents. Select the Activation Keys you want to upgrade for VMDR. All the agents associated with those keys will be upgraded.

[Screenshot: "Manage Cloud Agent Keys" listing each key with its modules, agents and tags, e.g. "Default VMDR Activation Key" (Unlimited Key) with the SCA, VM, CSAM and PM modules, and "Minimum Module Activation Key" (Unlimited Key, tagged "VMDR Lab").]

Upgrade agent Activation Keys to include the VMDR application modules (i.e., VM, SCA, PM, CSAM).
Activation Key Tagging Strategy

• BEST PRACTICE: Assign "static" tags to agent Activation Keys and use them to ensure agent hosts receive their appropriate performance settings, patching licenses, and patch job assignments.

[Screenshots: (1) Cloud Agent Configuration Profiles; (2) Patch Management License Consumption (Type: TRIAL, 10 licenses purchased), where the assets covered by patch management are selected by including or excluding asset tags (here "VMDR Lab" and "Remote" are included); (3) the "New Activation Key" dialog: "An activation key is used to install agents. This provides a way to group agents and better manage your account. By default this key is unlimited - it allows you to add any number of agents at any time." The example key, titled "Remote Host Activation Key" and tagged "Remote", is provisioned for the applications CyberSecurity Asset Management (activations managed by CSAM), Patch Management, Policy Compliance, Vulnerability Management and Secure Config Assessment (with the remaining activations shown for each), as an Unlimited Key.]
CyberSecurity Asset Management

Two Asset Management Applications

• Global AssetView (GAV): provides foundational inventory gathering capabilities for all assets in your IT environment, from on-premise servers and PCs, to Cloud instances, containers, Enterprise IoT and OT environments.

• CyberSecurity Asset Management (CSAM): delivers additional capabilities on top of GAV to provide users with cybersecurity related content, such as product lifecycle information, the ability to define authorized and unauthorized software, and integration with the ServiceNow CMDB, among others.


CSAM or GAV

Key features:

• Get complete visibility into your environment: discover and inventory all your assets
• Standardize your inventory: view categorized and normalized hardware and software information
• Add business context through dynamic tagging: define criticality and find related assets
• Know product lifecycle and support information: find and upgrade unsupported software and hardware
• Quickly identify non-compliant assets
• Be informed about assets requiring attention: receive notifications to review and define actions
• Inform stakeholders about the health of your assets: create custom reports
• Easily keep your CMDB up to date: enable 2-way integration to sync with the ServiceNow CMDB
• Eliminate unauthorized software from your environment

[The slide marks which of these features are included in GAV and which require CSAM; as stated on the previous slide, lifecycle information, software authorization and CMDB integration are CSAM additions.]


Comprehensive Asset & Software Inventory

CSAM Catalog: Categorize, Normalize and Enrich

[Diagram: data from every sensor type (Physical Scanner, Virtual Scanner, Cloud Agent, Passive Sensor, Cloud Connector, API, Container Sensor, Out-of-Band) feeds the CSAM catalog, which enriches each OS/HW/SW record with Lifecycle Stage, Support Stage, License type, Manufacturer and Category.]

• Qualys CyberSecurity Asset Management (CSAM) aggregates data from all sensors.
Qualys Categorization, Normalization & Enrichment

Raw data as collected by the sensors:
  Operating System: AIX, Base OS Runtime 06.01.0009.0300
  Hardware: a Dell server (the raw model string is not legible in the slide)
  Software: mysql-community-server 5.6.35-2.el7.x86_64

After normalization and categorization, with advanced asset information (META):

  Attribute         Operating System   Hardware             Software
  Category          UNIX > Server      Computers > Server   Databases > RDBMS
  Manufacturer      IBM                Dell                 Sun Microsystems
  Name              AIX                (not legible)        MySQL Server
  Version           6.1
  Update            TL9 SP3
  Architecture      64-Bit
  Lifecycle Stage   EOL/EOS
  End-of-Life       30-Apr-2015        1-Sep-2012           28-Feb-2018
  End-of-Support    30-Apr-2017        1-Sep-2012           28-Feb-2021
  Support Stage     Unsupported        Obsolete             Extended Support
  License Type      Commercial                              Open Source (GPL-2.0)


Search Hardware Categories

Token forms:

hardware.category1: value1
hardware.category2: value2
hardware.category: value1 / value2

Example: hardware.category: 'Networking Device/Switch'

[Screenshot: the query returns three Cisco Systems Nexus Switch assets (10.46.105.1, 10.46.105.2, 10.46.105.3) running Cisco Systems NX-OS, each categorized Networking Device / Switch.]

The following forms are equivalent:

hardware.category1: 'Networking Device'
hardware.category2: 'Switch'
hardware.category: 'Networking Device / Switch'
Hardware Category List

[Screenshot: CyberSecurity Asset Management > INVENTORY > Assets, grouped by Hardware Category, e.g. Virtualized / Virtual Machine, Unidentified / Unidentified, Computers / Unidentified, Computers / Server, Networking Device / Unidentified, Virtualized / Cloud Instance, Network Security Device / Firewall Device, Networking Device / Switch and Unknown, with asset counts per category and filters by Manufacturer and Tags.]

• From the "Assets" tab, group assets by Hardware Category.
Hardware Lifecycle Stage

Search Token: hardware.lifecycle.stage:value

• General Availability (GA): hardware is in production, available for purchase, and supported
• End of Sale (EOS): no longer being sold by the vendor
• Obsolete (OBS): End-of-Service; no longer serviced via upgrades, patches, or maintenance
• Intro (INTRO): hardware introduction date of interest

[Screenshot: Lifecycle Information for a Cisco Systems Catalyst 3850 Series 3850-24P (Networking Device / Switch), showing the Generally Available, End-of-Sale and End-of-Service dates, some of them "Not Announced".]
Search OS Categories

Token forms:

operatingSystem.category1: value1
operatingSystem.category2: value2
operatingSystem.category: value1 / value2

Examples (all equivalent):

operatingSystem.category1: 'Windows'
operatingSystem.category2: 'Server'
operatingSystem.category: 'Windows / Server'
operatingSystem.category: 'Windows/Server'

[Screenshot: the query returns EC2AMAZ-H3CN8NE (Microsoft Windows Server Datacenter 1809 64-Bit, a virtual machine), WIN2019SRV1ESXI (Microsoft Windows Server Datacenter Evaluation 1809 64-Bit, VMware Virtual Platform) and WIN2008SRV2ESXI (Microsoft Windows Server Enterprise 6.1 SP1 64-Bit, VMware Virtual Platform), with their IPv4/IPv6 and MAC addresses.]

OS Category List

[Screenshot: CyberSecurity Asset Management > INVENTORY > Assets, "Group Assets by: OS Category" (1-18 of 18), e.g. Linux / Unidentified, Windows / Server, Windows / Client, Unidentified / Unidentified, Linux / Server, Network Operating System / Unidentified, Windows / Unidentified, Virtualization / Hypervisor Type-1 (Bare Metal), Mac / Client; with filters by Manufacturer (Amazon Web Services, VMware, Unidentified, Microsoft) and Tags (Internet Facing Assets, Initech, AWS Ohio, Windows, AG: San Jose, ...).]

• From the "Assets" tab, group assets by OS Category.
Search Software Categories

Token forms:                              Examples:

software:(category1: value1)              software:(category1: 'Security')
software:(category2: value2)              software:(category2: 'Endpoint Protection')
software:(category: value1 / value2)      software:(category: 'Security / Endpoint Protection')

[Screenshot: software:(category1: 'Security') returns Microsoft Windows Defender 4.18.1807.18075 (Security / Endpoint Protection; Commercial, Free), Privax HMA! Pro VPN 4.6.151 (Security / Endpoint Protection; Commercial, Licensed) and OpenVPN 3.1.3 (Security / Endpoint Protection; Open Source, GNU General Public License).]
Software Category List

[Screenshot: CyberSecurity Asset Management > INVENTORY > Software, "Group Software by: Category", Type: Application (1-50 of 88), e.g. Network Application / Internet Browser, Application Development / Framework, Application Development / Development Tool, Networking / Access Software, Application Development / Programming Languages, Security / Endpoint Protection, Network Application / Web Servers, Databases / RDBMS, Security / Endpoint Management and Security; with filters by License (Open Source, Commercial) and Platform (64-Bit, 32-Bit).]

• From the "Software" tab, group software by Category.


OS & Software Lifecycle Stages

Search Tokens:

operatingSystem.lifecycle.stage: value
software: (lifecycle.stage: value)

• Generally Available (GA): when the product became available for purchase.
• End-of-Life (EOL): no longer marketing, selling, building new features, or promoting the product (security patches may still be provided).
• End-of-Service (EOS): no longer serviced via upgrades, patches, or maintenance.

Note that the EOS value means End-of-Sale for hardware.lifecycle.stage but End-of-Service for the OS and software tokens; a hardware EOS device may still be serviced, whereas EOS software receives no more patches.

[Screenshot: Lifecycle Information for the operating system Cisco Systems Cisco IOS XE Fuji (16.9.4): Generally Available, End-of-Life and End-of-Service are all "Not Announced".]
Lab 2: Search Using Categories

Please consult pages 14 to 15 in the lab tutorial supplement for details. The tutorial begins on page 15 (5 mins).
Software License Category

• Commercial: supported by the vendor.
  software: (license.category: 'Commercial')

• Open Source: free for public use.
  software: (license.category: 'Open Source')


Dynamic Rule-Based Tags

[Screenshot: the tag editor with Tag Type "Static" or "Dynamic" and, under Tag Rules, the Rule engine drop-down: Asset Inventory, Asset Name Contains, IP Address In Range(s), IP Address In Range(s) + Network(s), Open Ports, Cloud Asset Search, Vuln(QID) Exist.]

• The "Asset Inventory" rule engine allows you to build tags using query tokens, including the Hardware, OS, and Software category tokens.
• Other "dynamic" rule engines are also available.
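To make the token semantics from the preceding slides concrete, here is an added example (not Qualys code, and not the CSAM search engine): a small Python evaluator for the subset of the query language shown above, namely the hardware/OS/software category tokens, the lifecycle.stage and license.category tokens, the [a,b] list form, and the nested software:( ... ) group, run against a constructed inventory modelled on the screenshots. It finishes with a tag rule set in the style of the "Asset Inventory" rule engine. The record layout, the case-insensitive matching, treating 'value1 / value2' and 'value1/value2' as the same category, supporting only and-joined clauses, and the rule that a nested software:( ... ) group must be satisfied by one and the same installed-software record are assumptions made for this example.

```python
"""Added example (not Qualys code): a local evaluator for the CSAM search tokens shown above."""
import re

_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": "'", "\u201d": "'", '"': "'"})
_CLAUSE = re.compile(
    r"\s*([\w.]+)\s*:\s*"                      # token name, e.g. operatingSystem.category1
    r"(?:\((?P<group>[^()]*)\)"                # nested group, e.g. software:( ... )
    r"|'(?P<quoted>[^']*)'"                    # quoted value
    r"|\[(?P<list>[^\]]*)\]"                   # list value, e.g. [EOS,OBS]
    r"|(?P<bare>[^\s()\[\]']+))"               # bare value, e.g. EOS
    r"\s*(?:\band\b|$)", re.I)                 # clauses are joined with 'and'

def compile_query(query):
    """Parse 'name:value and name:( ... )' into clauses that must all hold (conjunctions only)."""
    query, pos, clauses = query.translate(_QUOTES).strip(), 0, []   # typographic quotes -> '
    while pos < len(query):
        m = _CLAUSE.match(query, pos)
        if m is None:
            raise ValueError(f"cannot parse {query[pos:]!r}")
        name, group, quoted, lst, bare = m.group(1), *m.group("group", "quoted", "list", "bare")
        if group is not None:
            clauses.append(("scope", name, compile_query(group)))
        elif lst is not None:
            clauses.append(("match", name, [v.strip(" '") for v in lst.split(",")]))
        else:
            clauses.append(("match", name, [quoted if quoted is not None else bare]))
        pos = m.end()
    return clauses

def _norm(value):
    return re.sub(r"\s*/\s*", "/", str(value)).strip().lower()  # 'Windows / Server' == 'Windows/Server'

def _lookup(record, path):
    """Resolve a dotted token name; 'category' is synthesised as 'category1 / category2'."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        if part == "category" and "category" not in cur and "category1" in cur:
            return f"{cur['category1']} / {cur.get('category2', 'Unidentified')}"
        cur = cur.get(part)
    return cur

def matches(clauses, record):
    """True when every clause holds; a nested group must be satisfied by one and the same sub-record."""
    for kind, name, value in clauses:
        if kind == "scope":
            items = _lookup(record, name) or []
            if not any(matches(value, it) for it in ([items] if isinstance(items, dict) else items)):
                return False
        else:
            actual = _lookup(record, name)
            if actual is None or _norm(actual) not in {_norm(v) for v in value}:
                return False
    return True

def search(assets, query):
    """Names of the assets that satisfy the query, in inventory order."""
    clauses = compile_query(query)
    return [asset["name"] for asset in assets if matches(clauses, asset)]

def apply_tag_rules(assets, rules):
    """Dynamic 'Asset Inventory' tags: each tag lands on every asset whose record satisfies its query."""
    compiled = {tag: compile_query(q) for tag, q in rules.items()}
    return {a["name"]: sorted(t for t, c in compiled.items() if matches(c, a)) for a in assets}

def _asset(name, hw_cat, hw_stage, os_cat, os_stage, software=()):
    """Constructed inventory record (not real asset data) in the shape the evaluator expects."""
    (hw1, hw2), (os1, os2) = hw_cat.split(" / "), os_cat.split(" / ")
    return {"name": name,
            "hardware": {"category1": hw1, "category2": hw2, "lifecycle": {"stage": hw_stage}},
            "operatingSystem": {"category1": os1, "category2": os2, "lifecycle": {"stage": os_stage}},
            "software": [{"name": n, "category1": c.split(" / ")[0], "category2": c.split(" / ")[1],
                          "license": {"category": lic}} for n, c, lic in software]}

INVENTORY = [  # constructed, modelled on the slide screenshots
    _asset("nexus-10.46.105.1", "Networking Device / Switch", "EOS", "Network Operating System / Unidentified", "GA"),
    _asset("WIN2008SRV2ESXI", "Virtualized / Virtual Machine", "GA", "Windows / Server", "EOS",
           [("Privax HMA! Pro VPN", "Security / Endpoint Protection", "Commercial"),
            ("OpenSSL", "Application Development / Framework", "Open Source")]),
    _asset("WIN2019SRV1ESXI", "Virtualized / Virtual Machine", "GA", "Windows / Server", "GA",
           [("Microsoft Windows Defender", "Security / Endpoint Protection", "Commercial"),
            ("OpenVPN", "Security / Endpoint Protection", "Open Source")]),
]
TAG_RULES = {  # constructed rules in the style of the "Asset Inventory" rule engine
    "EOS Hardware": "hardware.lifecycle.stage:[EOS,OBS]",
    "Windows Server past EOS": "operatingSystem.category:'Windows/Server' and operatingSystem.lifecycle.stage:EOS",
    "Open Source Endpoint Protection": "software:(category:'Security / Endpoint Protection' and license.category:'Open Source')",
}

if __name__ == "__main__":
    print(search(INVENTORY, "software:(category1:'Security' and license.category:'Open Source')"))
    print(search(INVENTORY, "software:(category1:'Security') and software:(license.category:'Open Source')"))
    print(apply_tag_rules(INVENTORY, TAG_RULES))
```

The two queries in the main block differ only in where the group boundary sits, and that changes the result: the first asks for a single security product that is open source (only the host with OpenVPN qualifies), while the second accepts a host that has some security product and, separately, some open-source product, so the WIN2008 host with a commercial VPN client plus open-source OpenSSL also matches. When building dynamic tags from software tokens, keep the conditions that must apply to one product inside the same software:( ... ) group.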


Lab 3: Dynamic Rule-Based Tags

Please consult pages 16 to 17 in the lab tutorial supplement for details. The tutorial begins on page 16 (5 mins).
Unidentified vs. Unknown

Some OS and Hardware assets may appear as "unidentified" or "unknown."

• Unidentified: not enough data has been discovered/collected for Qualys to determine the asset's hardware or operating system.
• Unknown: adequate data exists for Qualys to categorize the asset, but it has yet to be cataloged.


Network Passive Sensor

Passive Sensor Overview

• Sniffs traffic via a network TAP or the SPAN port of a network switch.
• Captured data and traffic is sent to the Qualys Platform for analysis and processing.
• Discovered assets not in your account are placed in the "Unmanaged" section of Qualys CSAM.
• Enable "Traffic Analysis" to reveal communication between assets, including conversations between managed and unmanaged assets.


Managed vs. Unmanaged Assets

• If discovered data is confirmed to match an asset already in your account, its information will be merged with the existing asset.
• Discovered assets not in your account are placed in the "Unmanaged" section of Qualys CSAM.

[Screenshots: the CSAM dashboard showing Total Assets split into Managed and Unmanaged, with Top Hardware Categories; and the Unmanaged Assets list, e.g. a GS324TP S350 Series switch (confidence level: HIGH) and "Ubuntu19esxi" (Debian Project Debian, hardware Unidentified, 10.0.1.253), each with the Passive Sensor first-seen and last-seen dates.]

• It is common to find unidentified or unknown values within the "Unmanaged" assets section of the CyberSecurity Asset Management application.
• Confidence levels are provided (LOW, MEDIUM, HIGH) for OS and hardware findings.


Network Traffic Analyzer

Conversations between assets can offer new discoveries and insights.

[Screenshot: Network Traffic Analyzer (Last 24 Hours) showing traffic family and volume (Web Services 161 KB, Terminal Emulation 14 KB, Vimeo 8 KB, IBM Systems 5 KB, Networking 308 B, Other 460 B), a Total Clients list (1-27 of 27) filterable by asset type (internal/external, managed/unmanaged), device category (Unidentified, Computers, Virtualized) and client operating system, and per-conversation rows with client and server addresses, bytes and packets in each direction, and first/last seen times.]


Network Passive Sensor User Guides

Sensor documentation is available at qualys.com/documentation under Sensors (Cloud Agents, Scanner Appliance, Network Passive Sensor). For the Network Passive Sensor it comprises the Online Help, the Physical Appliance User Guide, the Virtual Appliance User Guide, the Deployment Guide and the Release Notes. Use it to stay up-to-date with the latest sensor features and specifications.


CMDB Sync

Certified ServiceNow CMDB Sync App

• Supports 2-way sync (Qualys to ServiceNow and ServiceNow to Qualys)
• Up-to-date, categorized, normalized, and enriched ServiceNow CMDB
• Enrich Qualys assets with key CMDB business data
• Synchronization schedules can be configured and saved.
• Asset metadata is only synchronized for assets that already exist in both Qualys and ServiceNow.
• Optionally, asset information is staged for user approval before being written to the CMDB.


Import Business Attributes from ServiceNow CMDB

[Screenshot: Asset Details > INVENTORY > Business Applications for a cloud resource, showing the imported business application "Banking Service" (Status: Installed; Department: IT Operations; Business Criticality: 1 - Most Critical; Managed By and Supported By: named ServiceNow users) and, under Associated Assets, the other hosts tied to it (1-4 of 4), e.g. HQWIN8R2RD27 on Microsoft Windows Server 2008 R2 (VMware Virtual Platform), WIN12PMIOC3 on Microsoft Windows Server 2012 R2 (Google Compute Engine) and a CentOS 7 (1511) host (VMware Virtual Platform), each with its Supported By contact.]

• Automatically import business application and business context attributes from the ServiceNow CMDB.
• Identify other assets associated with a business application.


Use Business Attributes to Search for Assets

businessApp:(businessCriticality:value)
businessApp:(environment:value)
businessApp:(id:value)
businessApp:(name:value)
businessApp:(managedBy:value)
businessApp:(ownedBy:value)
businessApp:(supportGroup:value)
businessApp:(supportedBy:value)

• Use any of the "businessApp" search tokens to single out assets, based on the business information and characteristics provided by ServiceNow.
• Queries using these tokens only return assets that have already been synchronized, because the business attributes exist only on those assets.


Lab 4: CMDB Sync and Business Context

Please consult pages 18 to 19 in the lab tutorial supplement for details. The tutorial begins on page 18 (5 mins).
Integration with ServiceNow CMDB

To implement the ServiceNow CMDB integration, a Qualys subscription with API access is required, along with the following application modules:

• CSAM
• Vulnerability Management

1. Qualys CMDB Sync App
   • Install the Qualys CMDB Sync App (available in the ServiceNow Online Store)

2. Qualys CMDB Sync Service Graph Connector App
   • Install the Qualys Service Graph Connector App (available in the ServiceNow Online Store)
   • Requires an ITOM Visibility license in ServiceNow
CMDB Sync App User Guides

The user guides are available at qualys.com/documentation under Cloud Apps > IT Asset Management (Global AssetView, CyberSecurity Asset Management, AssetView, CMDB Sync, Certificate Inventory); the CMDB Sync entry covers both the Qualys CMDB Sync Service Graph Connector App and the Qualys CMDB Sync App.


Public APIs for CMDB Sync

• CSAM now supports the import of asset business metadata and business-app metadata from your CMDB into your Qualys asset inventory (using the v2 APIs).
• Imported business attributes are listed on the Asset Details page.
• The user must have access to the CSAM module, with API access enabled for that role.
• Currently, at most 250 records can be imported in one API call, for both asset and business-app metadata; larger imports need multiple calls.


Authorized & Unauthorized Software

CIS Control 2: Inventory and Control of Software Assets

Overview

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

7 Safeguards: IG1 3/7, IG2 6/7, IG3 7/7

https://www.cisecurity.org/controls/inventory-and-control-of-software-assets/
Software Rule Types

[Screenshot: the "Select Software" step of the rule wizard ("Select the software to be included in the rule") with three sections:]

• Add Authorized Software: select applications, releases, publishers or categories that are explicitly authorized in this environment.
• Add Unauthorized Software: select applications, releases, publishers or categories that are explicitly unauthorized in this environment.
• Needs Review: select applications, releases, publishers or categories that need to be reviewed before marking them as Authorized or Unauthorized.

Create rules for authorized/unauthorized software and for software that needs to be reviewed.
Lab 5: Software Authorization

Please consult pages 20 to 21 in the lab tutorial supplement for details. The tutorial begins on page 20 (5 mins).


Create Software Rules

[Screenshot: CyberSecurity Asset Management > RULES > Software Rules, listing in order: 1 "EOS Linux Agents" (Review all Linux agents less than version 2.6), 2 "EOS Windows Agents" (Review Windows agent versions less than 3.0), 3 "Unauthorized Software" (Flag Wireshark as unauthorized ...). Alongside it, the INVENTORY > Software tab (e.g. Google Chrome 93.0.4577.82 Stable Channel, Network Application / Internet Browser; a Microsoft browser at 94.0.992.3; an Apache web server at 9.0.52, Network Application / Web Servers; Microsoft Internet Information Services 10.0, Network Application / Web Servers; Qualys Cloud Agent 4.4.1.7 and 4.6.0.56, Security / Endpoint Management and Security) with the Quick Actions "View Authorization Rule" and "Add To Authorization Rule".]

• View, create and modify rules from the RULES section or from the "Software" tab under the INVENTORY section.


Rule Precedence

[Screenshot: Software Rules in order: 1 "EOS Linux Agents" (Review all Linux agents less than version 2.6), 2 "EOS Windows Agents" (Review Windows agent versions less than 3.0), 3 "Unauthorized Software" (Flag Wireshark as unauthorized and Qualys Cloud Ag...).]

• Rules at the top of the list have precedence over the rules below.
• Click the "Reorder" button to move rules higher or lower.
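As an added example (not Qualys code), the following Python models the rule list above: each rule carries a verdict and the selectors the wizard offers (application, release/version, publisher, category), rules are evaluated top-down with the first match deciding, and "Reorder" changes the outcome for software that more than one rule covers. The software record shape, the platform selector, the numeric version comparison, the two extra rules ("Approved Browsers", "Current Agents"), and leaving software that no rule matches without an authorization value are assumptions made for this example; the first three rules are taken from the slide as far as the screenshot states them.

```python
"""Added example (not Qualys code): software authorization rules with top-down precedence."""
import re
from dataclasses import dataclass
from typing import Optional


def version_key(version):
    """'4.6.0.56' -> (4, 6, 0, 56); non-numeric components such as 'Stable' compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\s-]+", version.strip()))


def version_lt(installed, bound):
    """Component-wise 'installed < bound' with the shorter tuple zero-padded: 2.5.3 < 2.6, 4.6.0.56 >= 3.0."""
    a, b = version_key(installed), version_key(bound)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


@dataclass
class Rule:
    """One software rule: every selector that is set must match (case-insensitive)."""
    name: str
    verdict: str                         # "Authorized", "Unauthorized" or "Needs Review"
    application: Optional[str] = None
    publisher: Optional[str] = None
    category: Optional[str] = None       # "category1 / category2"
    platform: Optional[str] = None       # assumption: Linux/Windows selector for the agent rules
    version_below: Optional[str] = None  # release selector: only versions below this bound match

    def matches(self, sw):
        for wanted, actual in ((self.application, sw.get("name")), (self.publisher, sw.get("publisher")),
                               (self.category, sw.get("category")), (self.platform, sw.get("platform"))):
            if wanted is not None and (actual or "").lower() != wanted.lower():
                return False
        return self.version_below is None or version_lt(sw.get("version", "0"), self.version_below)


def authorize(rules, sw):
    """Rules at the top of the list have precedence: the first rule that matches decides."""
    for rule in rules:
        if rule.matches(sw):
            return rule.verdict, rule.name
    return None, None   # assumption: software no rule covers is left without an authorization value


def classify(rules, inventory):
    """Annotate each software record with its verdict and the rule that produced it."""
    out = []
    for sw in inventory:
        verdict, rule = authorize(rules, sw)
        out.append({**sw, "authorization": verdict, "rule": rule})
    return out


def reorder(rules, name, new_index):
    """Emulate the 'Reorder' button: move one rule to another position in the list."""
    rules = list(rules)
    rule = rules.pop(next(i for i, r in enumerate(rules) if r.name == name))
    rules.insert(new_index, rule)
    return rules


def by_authorization(classified, value):
    """Local equivalent of software:(authorization:'<value>') over the classified records."""
    return [f"{sw['name']} {sw['version']}" for sw in classified if sw["authorization"] == value]


RULES = [   # order matters; rules 1-3 follow the slide, 4-5 are constructed for the example
    Rule("EOS Linux Agents", "Needs Review", application="Qualys Cloud Agent", platform="Linux", version_below="2.6"),
    Rule("EOS Windows Agents", "Needs Review", application="Qualys Cloud Agent", platform="Windows", version_below="3.0"),
    Rule("Unauthorized Software", "Unauthorized", application="Wireshark"),
    Rule("Approved Browsers", "Authorized", category="Network Application / Internet Browser"),
    Rule("Current Agents", "Authorized", application="Qualys Cloud Agent"),
]

INVENTORY = [   # constructed records, loosely modelled on the Software tab screenshot
    {"name": "Qualys Cloud Agent", "version": "2.5.3", "platform": "Linux", "publisher": "Qualys",
     "category": "Security / Endpoint Management and Security"},
    {"name": "Qualys Cloud Agent", "version": "4.6.0.56", "platform": "Windows", "publisher": "Qualys",
     "category": "Security / Endpoint Management and Security"},
    {"name": "Wireshark", "version": "3.4.8", "platform": "Windows", "publisher": "Wireshark Foundation",
     "category": "Networking / Access Software"},
    {"name": "Google Chrome", "version": "93.0.4577.82", "platform": "Windows", "publisher": "Google",
     "category": "Network Application / Internet Browser"},
    {"name": "Microsoft Internet Information Services", "version": "10.0", "platform": "Windows",
     "publisher": "Microsoft", "category": "Network Application / Web Servers"},
]

if __name__ == "__main__":
    for sw in classify(RULES, INVENTORY):
        print(f"{sw['name']:<40} {sw['version']:<13} {str(sw['authorization']):<13} rule: {sw['rule']}")
    print("Linux agent 2.5.3 after moving 'Current Agents' to the top:",
          authorize(reorder(RULES, "Current Agents", 0), INVENTORY[0]))
```

The old Linux agent is covered by two rules ("EOS Linux Agents" and "Current Agents"); with the slide's ordering it ends up as Needs Review, and moving the blanket "Current Agents" rule to the top silently turns it into Authorized. That is the practical reason to keep narrow review/unauthorized rules above broad authorization rules when reordering.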


Software Authorization Tokens

• AUTHORIZED
  software: (authorization: 'Authorized')

• UNAUTHORIZED
  software: (authorization: 'Unauthorized')

• NEEDS REVIEW
  software: (authorization: 'Needs Review')

• After creating software authorization rules, the software authorization tokens can be used to search and query.


Vulnerability Management

VM Sensors

[Diagram: the VM sensors reporting to the Qualys Cloud Platform.]


Vulnerability Findings

• Industry-leading vulnerability KnowledgeBase with tens of thousands of vulnerability signatures.
• Each vulnerability is ranked and associated with:
  • Qualys Severity Level (1 Minimal, 2 Medium, 3 Serious, 4 Critical, 5 Urgent)
  • CVSS Score
  • CVE & Bugtraq IDs
  • Available Patches
  • Known Threats
  • Associated Malware
  • and more...
• An unlimited number of ways to identify, prioritize, and patch vulnerabilities.


Lab 6: Vulnerability Findings

Please consult pages 22 to 24 in the lab tutorial supplement for details. The tutorial begins on page 23 (5 mins).


Vulnerability Findings In CSAM

[Screenshot: Asset Details for ws2016dfw242 > SECURITY > Vulnerabilities, filtered with the query vulnerabilities.severity:[5] and vulnerabilities.typeDetected:[Confirmed] (9 vulnerabilities, e.g. "Microsoft Windows Security Update for December 2019", severity 5). The Quick Actions menu for a finding offers "Add to New Job", "Add to Existing Job" and "View Missing Patches". The left-hand navigation also lists VMDR Prioritization, Patch Management and Certificates.]

• Build patch jobs from the Global IT Asset Inventory.
• View and patch vulnerability findings from within CyberSecurity Asset Management (on a per-asset basis).


Vulnerability Findings in VMDR

Which ones are patchable?

[Screenshot: VMDR > VULNERABILITIES, with the asset query tags.name:'Cloud Agent' and activatedForModules:PM, listing detections such as QID 372508 Oracle Java SE Critical Patch Update - April 2020, QID 374827 Mozilla Firefox Multiple Vulnerabilities (MFSA2021-01) and Mozilla Firefox Multiple Vulnerabilities (MFSA2020-54), each marked Active.]

A detection can be patched from VMDR only when all of the following hold:

1. The detected vulnerability is associated with one or more patches found in the Qualys Patch Catalog.
2. The host is running the Qualys Cloud Agent.
3. The Cloud Agent has the PM module activated.


Dashboards & Widgets

Out-of-Box Dashboard Templates

[Screenshot: the Dashboard Templates page ("Add or Customize Dashboard templates", with a "Build from Scratch" option) and its template groups: CSAM (4), Policy Compliance (1), Unified Dashboard (35), VMDR (16), Web Application Firewall (1), File Integrity Monitoring (6), EDR (5). Examples, all created by Qualys with a "Use template" button: "RansomWare (RW) Attack Vectors" (high visibility into your software and EOL/EOS...), "Policy Compliance" (Policy Compliance widget details), "RansomWare (RW) Exposure" (visibility into your ransomware exposure), "Patch Efficiency - VULNs Sev 3-5" (patch efficiency for vulnerabilities of severity 3-5), and "Baron Samedit | Heap-based buffer overflow" (the Qualys research team discovered a heap overflow vulnerability in sudo; any unprivileged user can...).]


Widget Types

[Icons: Count, Table, Column, Pie]

• Dashboard widgets can be designed to display query results as counts, tables, columns, or pie charts.


Lab 7: Dashboards & Widgets

Please consult pages 25 to 28 in the lab tutorial supplement for details. The tutorial begins on page 25 (5 mins).
Count Widget

• The "Count Widget" can be configured to automatically change color when specific conditions or thresholds are met.

[Screenshot: the widget editor for "Percentage of High Severity Vulnerabilities". Query 1 (Vulnerability): vulnerabilities.severity:[3,4,5]. "Compare with another reference query" is enabled; Query 2 (Vulnerability): vulnerabilities.severity:[1,2,3,4,5], with the comparison label "All Vulnerabilities (i.e., all severities)", declared a superset (it contains all the assets from the initial query). Widget Rules: "Set rules and associated widget color. The widget color will change based on the condition satisfied for configured rules." The configured rule: when the value of the comparison percentage is greater than 50%, highlight in the chosen color; a base color can be set and more rules added. "When clicked navigate to the targeted vulnerabilities search (grouped)" is ticked.]
Enable Trending in Widgets

[Screenshot: Edit Widget (VM) with Query 1 vulnerabilities.status:REOPENED compared with the reference Query 2 vulnerabilities.status:[NEW,ACTIVE,REOPENED]; under Additional Options, "Enable Trending" reads: "This widget will store its results each day for up to 90 days. The results will be plotted on a graph so that the data may be analyzed to identify trends." The widget preview shows the count, the comparison percentage and a trend line.]

• Visualize changes or swings in momentum or progress.
• When enabled, widgets can store trend data for up to 90 days.
• Trend lines plotted on a graph are added to the widget.
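The following Python is an added example (not Qualys code) that ties together the "Which ones are patchable?" conditions from the Vulnerability Findings in VMDR slide and the count-widget behaviour from the last two slides: a local filter standing in for the vulnerabilities.severity / status / typeDetected tokens, the three-part patchability test (catalog patch, Cloud Agent present, PM module activated), a count widget that compares a query against a reference superset query and picks a color from threshold rules, and the 90-day trend retention. The detection and asset record shapes, the constructed patch catalog, the extra asset names and QIDs 900001/900002, and the rounding of the percentage are assumptions made for this example; QIDs 372508 and 374827 and the asset name ws2016dfw242 are the ones visible on the slides.

```python
"""Added example (not Qualys code): VMDR patchability conditions and count-widget comparison rules."""
from datetime import date, timedelta

SEVERITY = {1: "Minimal", 2: "Medium", 3: "Serious", 4: "Critical", 5: "Urgent"}  # Qualys severity levels


def is_patchable(detection, asset, patch_catalog):
    """All three conditions from the slide must hold before VMDR can build a patch job for a detection."""
    has_patch = bool(patch_catalog.get(detection["qid"]))       # 1. QID is mapped to a Patch Catalog entry
    on_agent = "Cloud Agent" in asset.get("tags", ())            # 2. the host is running the Cloud Agent
    pm_active = "PM" in asset.get("activatedForModules", ())     # 3. the agent has the PM module activated
    return has_patch and on_agent and pm_active


def patchable_detections(detections, assets, patch_catalog):
    """(asset name, QID) pairs that pass is_patchable; `assets` is a dict keyed by asset name."""
    return [(d["asset"], d["qid"]) for d in detections
            if d["asset"] in assets and is_patchable(d, assets[d["asset"]], patch_catalog)]


def select(detections, severity=None, status=None, type_detected=None):
    """Local stand-in for vulnerabilities.severity:[..], vulnerabilities.status:[..] and vulnerabilities.typeDetected:[..]."""
    return [d for d in detections
            if (severity is None or d["severity"] in severity)
            and (status is None or d["status"] in status)
            and (type_detected is None or d["typeDetected"] in type_detected)]


def count_widget(detections, query1, query2=None, rules=(), base_color="grey"):
    """Count widget: the count for query1 and, given a reference query2, the comparison percentage.
    rules are (threshold_percent, color) pairs; the first rule the percentage exceeds sets the color."""
    n1 = len(select(detections, **query1))
    if query2 is None:
        return {"count": n1, "percent": None, "color": base_color}
    n2 = len(select(detections, **query2))
    if n1 > n2:   # the slide requires query 2 to be a superset of query 1; otherwise the ratio is meaningless
        raise ValueError("reference query must contain everything query 1 matches")
    percent = round(100.0 * n1 / n2, 2) if n2 else 0.0
    color = next((c for threshold, c in rules if percent > threshold), base_color)
    return {"count": n1, "percent": percent, "color": color}


class TrendingWidget:
    """Enable Trending: one stored result per day, kept for at most 90 days."""
    RETENTION_DAYS = 90

    def __init__(self):
        self.history = {}

    def record(self, day, value):
        self.history[day] = value
        cutoff = day - timedelta(days=self.RETENTION_DAYS)
        self.history = {d: v for d, v in self.history.items() if d > cutoff}

    def series(self):
        return [(d.isoformat(), v) for d, v in sorted(self.history.items())]


def simulate_trend(days, start=date(2021, 1, 1)):
    """Feed one value per day for `days` days and return what the widget still holds afterwards."""
    widget = TrendingWidget()
    for i in range(days):
        widget.record(start + timedelta(days=i), i)
    return widget.series()


PATCH_CATALOG = {372508: "catalog patch for the Java SE CPU", 374827: "catalog patch for Firefox"}  # constructed
ASSETS = {  # constructed; ws2016dfw242 is the asset name shown on the CSAM slide
    "ws2016dfw242": {"tags": ["Cloud Agent", "Windows"], "activatedForModules": ["VM", "CSAM", "PM"]},
    "win2019-scan-only": {"tags": ["Windows"], "activatedForModules": []},
    "linux-agent-no-pm": {"tags": ["Cloud Agent", "Linux"], "activatedForModules": ["VM", "CSAM"]},
}
DETECTIONS = [  # constructed; QIDs 372508 and 374827 are the ones visible on the VMDR slide
    {"asset": "ws2016dfw242", "qid": 372508, "severity": 4, "status": "ACTIVE", "typeDetected": "Confirmed"},
    {"asset": "ws2016dfw242", "qid": 374827, "severity": 5, "status": "NEW", "typeDetected": "Confirmed"},
    {"asset": "ws2016dfw242", "qid": 900001, "severity": 5, "status": "ACTIVE", "typeDetected": "Confirmed"},
    {"asset": "win2019-scan-only", "qid": 372508, "severity": 4, "status": "REOPENED", "typeDetected": "Confirmed"},
    {"asset": "linux-agent-no-pm", "qid": 374827, "severity": 5, "status": "ACTIVE", "typeDetected": "Potential"},
    {"asset": "linux-agent-no-pm", "qid": 900002, "severity": 2, "status": "FIXED", "typeDetected": "Confirmed"},
]

if __name__ == "__main__":
    print("patchable:", patchable_detections(DETECTIONS, ASSETS, PATCH_CATALOG))
    print(count_widget(DETECTIONS, {"severity": [3, 4, 5]}, {"severity": [1, 2, 3, 4, 5]}, rules=[(50, "red")]))
    trend = simulate_trend(100)
    print(f"trend keeps {len(trend)} of 100 days, first point {trend[0]}")
```

Only the two ws2016dfw242 detections with catalog patches come out as patchable: the scanner-only host fails condition 2 and the Linux host without the PM module fails condition 3, even though both carry the same QIDs. The widget helper raises rather than reporting a percentage above 100 when the reference query is not actually a superset, which is the misconfiguration the "superset" note on the Count Widget slide is warning about.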
Dashboard Tags

• Add one or more Asset Tags through the Dashboard Editor.
• Share dashboards with other Qualys users by assigning "dashboard" tag(s) to their accounts.

[Screenshot: the User Edit dialog for user Bob Slydell (Edit role(s) and scope), with "Allow user full permissions and scope", the assigned roles (AUDITOR, CA API Access, CA UI Access, CM User, ...) and unassigned roles (ADMINISTRATOR, CLOUDVIEW User, CA MANAGER, CONTACT, CSAM Manager, CSAM User, ...), the "Default Dashboard Access Tag", and the Edit Scope section where the assets a user can access are defined by tags (Global Scope; option "Exclude Agent assets from IP Range Tags"). The callout about the "Default Dashboard Access Tag" is only partly legible.]
Session Break (30 min.)
Threat Detection & Prioritization

VMDR Threat Feed

[Screenshot: VMDR > PRIORITIZATION > Threat Feed (the navigation also shows DASHBOARD, VULNERABILITIES and KNOWLEDGEBASE). The feed can be searched by category, content, or publish date, e.g. contents:RDP. The "High Rated Feed" (429 entries) lists items such as "Microsoft Windows security update for October 2021" (High: Microsoft's October 2021 Patch Tuesday fixed a total of 74 flaws including four zero-day vulnerabilities; 6 impacted assets), "Apple releases emergency update to address the arbitrary..." (High: an iPhone security update for a major vulnerability being exploited in the wild), "Backdoor Account in Zyxel Products (CVE-2020-29583)" (Low, January 3, 2021: on December 23rd, 2020, Zyxel published an advisory for a hardcoded credential vulnerability; more than 100,000 Zyxel firewalls, access point controllers and VPN gateways are prone to it) and a Pulse Secure advisory entry. Each entry carries an "Impacted Assets" count; click it to view the impacted assets within your subscription. Entries can be starred into a Favorites list (5).]

• Search for threats by content, category or publish date and click to view impacted assets.
Threat Feed Sources

Exploit Sources

Source Type                                                   Data Type
Core Security                                                 PoC Exploits mapped to CVEs
Exploit-DB                                                    PoC Exploits mapped to CVEs
Metasploit                                                    PoC Exploits mapped to CVEs
Contagio Dump                                                 Exploit Kits mapped to CVEs
Immunity (Agora, Dsquare, Enable Security, White Phosphorus)  PoC Exploits mapped to CVEs
Google Project Zero                                           Zero-Days mapped to CVEs

Malware Sources

Source Type        Data Type
Reversing Labs     CVEs associated with malware
Trend Micro        Malware names associated with CVEs
McAfee             Ransomware mapped to CVEs

• The Qualys Threat and Malware research team leverages exploit and malware data from multiple sources.
VMDR Prioritization Report

Prioritize vulnerabilities by:

• Asset Context
• Vulnerability Age
• Threat Intelligence
• Attack Surface
Lab 8: VMDR Prioritization Report

Please consult pages 29 to 35 in the lab tutorial supplement for details.

Tutorial begins on page 30. 5 min.
Asset Tags Add Context

[Example tags: Database Server, SJC, Internet Facing, EOL/EOS, Cloud Agent, VMDR Lab, Web Server, Security Tools, Malware Domain..., File Transfer, Business Units, Compiler]

• Design and build Asset Tags that help to distinguish the “context” of your assets.

• Leverage tags that use the “Asset Inventory” rule engine, along with 1) hardware, 2) software, and 3) OS categories.
Priority Options

[Screenshot: VMDR Prioritization options. Age: Detection / Vulnerability (slider). Real-Time Threat Indicators (RTI): POTENTIAL IMPACT (High Data Loss, High Lateral Movement, Denial Of Service, Patch Not Available, Unauthenticated Exploitation, Remote Code Execution, ...) and ACTIVE THREATS (Active Attacks, Malware, Zero Day, Exploit Kit, Predicted High Risk, ...). Attack Surface: Running Kernel, Running Service, Not Mitigated by Configuration, Remotely Discoverable Only, Internet Facing Only.]

• Prioritize discovered vulnerabilities by Age, RTIs, and Attack Surface.
• Detection Age - reflects the number of days since you first detected the vulnerability (e.g., by Qualys scanner or Cloud Agent).

• Vulnerability Age - (i.e., real age) reflects the number of days since Qualys published the vulnerability to our KnowledgeBase.
Real-Time Threat Indicators (RTI)

[Screenshot: Real-Time Threat Indicators (RTI) selector with Match Any / Match All.]

POTENTIAL IMPACT: High Data Loss (1.75K), High Lateral Movement (1.69K), Wormable (24), Denial Of Service (1.81K), Patch Not Available (235), Privilege Escalation (518), Unauthenticated Exploitation (41), Remote Code Execution (1.57K)

ACTIVE THREATS: Active Attacks (798), Malware (738), Zero Day (91), Exploit Kit (112), Public Exploit (1.04K), Predicted High Risk (1.16K), Easy Exploit (1.64K), Ransomware (34), Solorigate Sunburst (9)

• Provided by VMDR Threat Feed.
Attack Surface

Attack Surface options:

• Running Kernel
• Running Service
• Not Mitigated by Configuration
• Remotely Discoverable Only
• Internet Facing Only

• Continue to define asset context with “Attack Surface” options.
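How the three option groups of the last few slides (Age, RTIs with Match Any / Match All, and Attack Surface) combine into one filter, as an added example written for this page (it is not Qualys code and not how the Prioritization Report is implemented). The Finding and PriorityOptions records, the QIDs, asset names and dates are constructed sample data; the RTI names are the ones listed on the slides.

```python
"""Prioritizing findings by Age, RTIs and Attack Surface (illustrative, not Qualys code)."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed record shape)."""
    qid: int
    asset: str
    first_detected: date          # first detection by scanner or Cloud Agent
    published: date               # when the QID was published to the KnowledgeBase
    rtis: FrozenSet[str]          # Real-Time Threat Indicators from the Threat Feed
    running_kernel: bool = True   # the vulnerable kernel is the one that is booted
    running_service: bool = True  # the vulnerable service is actually running
    mitigated_by_config: bool = False
    remotely_discoverable: bool = False
    internet_facing: bool = False


@dataclass
class PriorityOptions:
    """The selections a user makes in the Prioritization Report."""
    age_basis: str = "detection"       # "detection" or "vulnerability"
    min_age_days: int = 0
    rtis: FrozenSet[str] = frozenset()
    match_all: bool = False            # False = Match Any, True = Match All
    running_kernel_only: bool = False
    running_service_only: bool = False
    not_mitigated_only: bool = False
    remotely_discoverable_only: bool = False
    internet_facing_only: bool = False


def age_days(f: Finding, basis: str, today: date) -> int:
    """Detection Age counts from first detection; Vulnerability Age from publication."""
    anchor = f.first_detected if basis == "detection" else f.published
    return (today - anchor).days


def matches(f: Finding, o: PriorityOptions, today: date) -> bool:
    if age_days(f, o.age_basis, today) < o.min_age_days:
        return False
    if o.rtis:
        hit = f.rtis & o.rtis
        if o.match_all and hit != o.rtis:
            return False
        if not o.match_all and not hit:
            return False
    if o.running_kernel_only and not f.running_kernel:
        return False
    if o.running_service_only and not f.running_service:
        return False
    if o.not_mitigated_only and f.mitigated_by_config:
        return False
    if o.remotely_discoverable_only and not f.remotely_discoverable:
        return False
    if o.internet_facing_only and not f.internet_facing:
        return False
    return True


def prioritize(findings: List[Finding], o: PriorityOptions, today: date) -> List[int]:
    """QIDs that pass every selected filter, oldest first."""
    kept = [f for f in findings if matches(f, o, today)]
    kept.sort(key=lambda f: (-age_days(f, o.age_basis, today), f.qid))
    return [f.qid for f in kept]


TODAY = date(2021, 10, 20)  # constructed report date

# Constructed findings; QIDs, assets and dates are made up for the example.
SAMPLE = [
    Finding(100001, "web-01", date(2021, 7, 1), date(2021, 6, 1),
            frozenset({"Active Attacks", "Remote Code Execution"}), internet_facing=True),
    Finding(100002, "db-01", date(2021, 10, 15), date(2021, 1, 10),
            frozenset({"Malware"})),
    Finding(100003, "web-02", date(2021, 5, 1), date(2021, 4, 1),
            frozenset({"Denial Of Service"}), internet_facing=True),
    Finding(100004, "web-01", date(2021, 9, 1), date(2019, 1, 1),
            frozenset({"Active Attacks", "Malware"}),
            mitigated_by_config=True, internet_facing=True),
]

ACTIVE = frozenset({"Active Attacks", "Malware"})


def demo() -> dict:
    """Runs four option sets against the sample; returns {label: [qids]}."""
    return {
        "any active RTI, internet facing": prioritize(
            SAMPLE, PriorityOptions(rtis=ACTIVE, internet_facing_only=True), TODAY),
        "all active RTIs, not mitigated": prioritize(
            SAMPLE, PriorityOptions(rtis=ACTIVE, match_all=True, not_mitigated_only=True), TODAY),
        "vulnerability age >= 300 days": prioritize(
            SAMPLE, PriorityOptions(age_basis="vulnerability", min_age_days=300), TODAY),
        "detection age >= 100 days": prioritize(
            SAMPLE, PriorityOptions(min_age_days=100), TODAY),
    }


if __name__ == "__main__":
    for label, qids in demo().items():
        print(f"{label}: {qids}")
```

The two age bases give different answers on the same data: QID 100004 was published in 2019 but first detected only in September 2021, so it ranks first by Vulnerability Age and drops out of a 100-day Detection Age cut; Match All is strictly narrower than Match Any, and the “Not Mitigated by Configuration” attack-surface option removes it again even though it carries both active-threat RTIs.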
Deploy Priority Patches

[Screenshot: VMDR Prioritization report after “Prioritize Now”. Summary tiles: Prioritized Assets 100% of total (of 13); Prioritized Vulnerabilities 23.18% of total instances (of 3.41K); Available Patches. Tabs: Vulnerabilities, Patches, Assets. Buttons: Export to Dashboard; Save & Download. Grid grouped by Vulnerability with “Show Only Patchable” switched on (1-50 of 446), listing CVE, Title, QID and Total Hosts, e.g. CVE-2020-17087 Microsoft Windows Kernel Privilege Escalation Vulnerability, QID 91690, 5 hosts.]

• Toggle between Vulnerabilities, Patches, or Assets.

• Turn on the “Show Only Patchable” switch to display patchable vulnerabilities only.

• Patchable assets have Cloud Agent installed and Patch Management activated.
Windows & Linux Patches

[Screenshot: Available Patches panel with Details view.]

1. Available patches provided for Windows hosts.

2. Available patches provided for Linux hosts.
Zero-Touch Patch Job

[Screenshot: Available Patches panel with the “Zero-Touch Patch Job” button. Windows Patches 82 (View Missing Windows Patches); Linux Patches 15 (View Missing Linux Patches); 1-50 of 97.]

• Select the “Zero-Touch Patch Job” option from the VMDR Prioritization Report.

• Patches are not selected individually, but instead are targeted using a query.

• Schedule patch jobs to recur daily, weekly, or monthly. Specific patching use-cases are ideal for “Zero-Touch” patching.
Zero-Touch Patching

[Screenshot: Create: Windows Deployment Job, step 4/9 “Select Patches” (“Choose the patches you want to install for the selected assets or create a query to automate the job.”). “Automated Patch Selection” is chosen: “Define QQL to automatically identify patches to remediate current and future vulnerabilities every time the job runs.” Query type: Vulnerability; query: vulnerabilities.vulnerability:(threatIntel.malware:True or threatIntel.activeAttacks:... (cut off). Note: For optimum performance, only missing and non-superseded patches that match the QQL criteria will be added to the job.]

• Patches that meet the query condition are added to the deployment job, automatically.

• The query is generated from the options (Age, RTIs, and Attack Surface) selected in the Prioritization Report.


Export to Dashboard

[Screenshot: VMDR Dashboard (“VMDR Sample”, last 30 days) with exported widgets: Patches by Status (Failed / Success / Already...), Wormable Vulnerabilities, Prioritized Assets (12 of 15), Prioritized Vulnerabilities (185 of 671 instances), Available Patches (instances / unique), Assets Missing Patches by Platform, and Missing Patches by Vendors (Microsoft 1376, Apple 5, Sun Micr... 5, Adobe 4, Oracle 3).]

• Export and monitor “Prioritization Report” as a Dashboard Widget.

• Results will be continuously updated within the Dashboard Widget.
Labs 9 & 10: Prioritization Report Use-Cases

Please consult page 36 in the lab tutorial supplement for details.

Tutorials begin on page 36. 10 mins

Patch Management


Patch Management Features & Benefits

= Automatically correlates discovered vulnerabilities with their required patches.

= Leverage existing Qualys Agents to deploy and uninstall patches.

= Covers OS and Application patches, including patches from third-party software vendors (e.g., Adobe, Java, Google, Mozilla, Microsoft, etc...).

= Provides patching just about anywhere an Internet connection is available (e.g., airports, coffee shops, remote offices, etc...).

= Focus on missing patches that have not been superseded.

= Build patch jobs that target specific vulnerabilities, severity levels, and known threats.


Patch Sources

OS and Application Patches come from:

= Vendor Global CDNs (e.g., Oracle, Adobe, Microsoft, Apache, Google, etc...)

  • Qualys uses both digital signatures and hash values to validate downloaded patches, which are validated again, via Qualys Malware Insights.

= Local repository (i.e., Qualys Gateway Server)

  • Patch downloads requested by one agent are cached on QGS and made available “locally” for other agents that need the same patch.
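The two ideas on this slide, validating a download against a known hash and caching validated patches locally for other agents, as an added example written for this page (illustrative code, not Qualys code and not how the Cloud Agent or the Qualys Gateway Server is implemented). It covers the hash check only; the signature check the slide also mentions needs vendor key material the page does not provide. The GatewayCache class, the patch IDs and the payload bytes are constructed for the example.

```python
"""Validate downloaded patches and serve them from a local cache (illustrative, not Qualys code)."""
import hashlib
import hmac
from typing import Callable, Dict, List


class PatchRejected(Exception):
    """Raised when a downloaded patch does not match its expected SHA-256."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_patch(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the download's digest with the expected value."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


class GatewayCache:
    """Stand-in for the local repository: only validated patches are cached."""

    def __init__(self) -> None:
        self._store: Dict[str, bytes] = {}
        self.hits = 0
        self.downloads = 0

    def get(self, patch_id: str, expected_sha256: str,
            download: Callable[[str], bytes]) -> bytes:
        cached = self._store.get(patch_id)
        # cached bytes are checked again before being handed to another agent
        if cached is not None and verify_patch(cached, expected_sha256):
            self.hits += 1
            return cached
        data = download(patch_id)  # fetch from the vendor CDN
        self.downloads += 1
        if not verify_patch(data, expected_sha256):
            raise PatchRejected(patch_id)  # never cached, never installed
        self._store[patch_id] = data
        return data


# Constructed sample: the bytes a vendor CDN would serve, and the digests the
# patch catalog would carry for them (computed here from the genuine bytes).
GENUINE = {
    "KB-EXAMPLE-1": b"genuine patch payload 1",
    "KB-EXAMPLE-2": b"genuine patch payload 2",
}
CATALOG_SHA256 = {pid: sha256_hex(data) for pid, data in GENUINE.items()}
# The constructed CDN serves KB-EXAMPLE-2 with altered bytes to show rejection.
CDN = dict(GENUINE, **{"KB-EXAMPLE-2": b"tampered patch payload 2"})


def demo() -> dict:
    """Two agents request the same patch; a third requests the tampered one."""
    cache = GatewayCache()
    rejected: List[str] = []
    for pid in ["KB-EXAMPLE-1", "KB-EXAMPLE-1", "KB-EXAMPLE-2"]:
        try:
            cache.get(pid, CATALOG_SHA256[pid], CDN.__getitem__)
        except PatchRejected as err:
            rejected.append(str(err))
    return {"hits": cache.hits, "downloads": cache.downloads, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The second request for KB-EXAMPLE-1 is served from the cache without another download, and the altered KB-EXAMPLE-2 is rejected before it can be cached, so a bad copy never reaches other agents through the local repository.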
Qualys PM Workflow

1. Install Cloud Agent on target host.
2. Assign target agent host to a CA Configuration Profile that has PM configuration enabled.
3. Activate PM module on target agent host.
4. Assign target agent host to an enabled Assessment Profile.
5. Allocate patching licenses.
6. Create Patch Jobs.
Patch Deployment Job

Deployment Job Wizard

[Screenshot: Deployment Job wizard, steps 1/7: 1 Basic Information, 2 Select Assets, 3 Select Patches, 4 Schedule, 5 Options, 6 Job Access, 7 Confirmation.]

• Build patch jobs step-by-step.
• Select assets and patches.
• Configure scheduling option or run on-demand.
• Configure communication and reboot options.
• Assign access to a job.
Lab 11: Patch Deployment

Please consult pages 37 to 41 in the lab tutorial supplement for details.

Tutorial begins on page 37. 10 mins
License Consumption

[Screenshot: Patch Management license panel. Type: FULL; Total Consumption: 9 of 100; Status: ACTIVE; expiring in 3.04K days on Jan 31, 2030 05:59 pm. “Select assets for patch management: Select asset tags to include or exclude for patch management. Total Consumption counter shows the number of licenses used based on the number of matching assets contained in the included asset tags.” Include Assets Tags: Cloud Agent. Exclude Assets Tags: Don't Patch (exclude assets you do not want to patch).]

• Use Asset Tags to specify hosts for patching and to exclude others.

• Only agent host assets will consume a patch license.
Targeted Assets

[Screenshot: Select Assets step (“Select the assets you want this job to deploy patches on.”). Selected Assets (1): WS2019-VL50D6A, added by Asset Name. “Include hosts that have Any of the tags below”: OS: Windows Server, added by Asset Tag. Add Exclusion Assets is also available.]

• Add assets to a Deployment Job by Asset Name or Asset Tag.

• Asset Tags are automatically transferred from VMDR Prioritization Report.
Asset Tag Tips

[Screenshot: nested Asset Tag tree: OS (7500 hosts) with child OS: Linux (1500 hosts); Function with children Testing & Development and Production Operations.]

• Design Asset Tag hierarchies with nested structures.

• Selecting a “parent” tag as a patching target includes its “child” tags automatically.

• Use tags to distinguish between production and testing assets.


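How parent tags expand to their children, how include and exclude tags combine into a target list, and how many patch licenses that list consumes (only agent hosts count), as one added example covering this slide and the License Consumption slide above. It is illustrative code written for this page, not Qualys code; the tag tree, the asset names (WS2019-VL50D6A and the tag names are taken from the slides, the rest are made up) and the has_agent flags are constructed.

```python
"""Resolving nested Asset Tags into patch targets and license use (illustrative, not Qualys code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Asset:
    name: str
    tags: FrozenSet[str]
    has_agent: bool  # only Cloud Agent hosts consume a patch license


# Constructed tag hierarchy (parent -> children), modelled on the slide's tree.
TAG_TREE: Dict[str, List[str]] = {
    "OS": ["OS: Windows", "OS: Linux"],
    "OS: Windows": ["OS: Windows Server"],
    "Function": ["Testing & Development", "Production Operations"],
}


def expand(tag: str, tree: Dict[str, List[str]]) -> Set[str]:
    """A parent tag selects itself and every descendant tag."""
    selected = {tag}
    stack = list(tree.get(tag, []))
    while stack:
        child = stack.pop()
        if child not in selected:
            selected.add(child)
            stack.extend(tree.get(child, []))
    return selected


def expand_all(tags: Iterable[str], tree: Dict[str, List[str]]) -> Set[str]:
    out: Set[str] = set()
    for t in tags:
        out |= expand(t, tree)
    return out


def resolve_targets(assets: List[Asset], include: Iterable[str],
                    exclude: Iterable[str], tree: Dict[str, List[str]]) -> List[str]:
    """Assets carrying any included tag, minus those carrying any excluded tag."""
    inc, exc = expand_all(include, tree), expand_all(exclude, tree)
    return [a.name for a in assets if a.tags & inc and not a.tags & exc]


def license_consumption(assets: List[Asset], targets: List[str]) -> int:
    """Licenses used: targeted assets that have a Cloud Agent."""
    by_name = {a.name: a for a in assets}
    return sum(1 for n in targets if by_name[n].has_agent)


# Constructed inventory; the scanner-only host has no agent and so no license use.
ASSETS = [
    Asset("WS2019-VL50D6A", frozenset({"OS: Windows Server", "Production Operations", "Cloud Agent"}), True),
    Asset("lin-test-01", frozenset({"OS: Linux", "Testing & Development", "Cloud Agent"}), True),
    Asset("lin-prod-01", frozenset({"OS: Linux", "Production Operations", "Cloud Agent", "Don't Patch"}), True),
    Asset("scanned-only-01", frozenset({"OS: Windows", "Testing & Development"}), False),
]


def demo() -> dict:
    """Three tag selections: parent OS tag, the Windows subtree, test hosts only."""
    sel_os = resolve_targets(ASSETS, ["OS"], ["Don't Patch"], TAG_TREE)
    sel_win = resolve_targets(ASSETS, ["OS: Windows"], [], TAG_TREE)
    sel_test = resolve_targets(ASSETS, ["Function"], ["Production Operations"], TAG_TREE)
    return {
        "os_minus_dont_patch": sel_os,
        "os_licenses": license_consumption(ASSETS, sel_os),
        "windows_subtree": sel_win,
        "test_only": sel_test,
        "test_licenses": license_consumption(ASSETS, sel_test),
    }


if __name__ == "__main__":
    print(demo())
```

Including “OS: Windows” picks up WS2019-VL50D6A through the child tag “OS: Windows Server” without that tag being named, which is the parent-includes-child behaviour the slide describes; the exclusion tag wins over any inclusion, which is what makes a “Don't Patch” tag a reliable guard for the production hosts you want left alone.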


Targeted Patches

[Screenshot: Patch Selector list filtered with isSuperseded: false (31 total patches, “Add to Job (31)”, 1-31 of 31). Columns: Patch Title, Architecture, Bulletin, QID, Severity, CVE. Left-hand filters: Superseded (false) and App Family (Windows, .Net, Tomcat, Firefox, Java). Example rows: Cumulative Update f... (QID 91495, published Jul 20, 2020); July 21, 2020-KB45... (QID 91552); July 14, 2020-KB45... (QID 91662); Security Cumulative... (QID 91410); Servicing stack upd... (QID 91653, Critical).]

• Build more efficient patch jobs by focusing on patches that have not been superseded.


Select Patches Using QQL

[Screenshot: Create: Windows Deployment Job, step 3/7 “Select Patches” (“Choose the patches you want to install for the selected assets or create a query for the job.”). “Create a Query for Patches” is chosen; query type: Patch; query: appFamily:'Chrome' or appFamily:'Firefox' or appFamily:'Edge'. The query type selector offers Patch or Vulnerability. Note: For optimum performance, only missing and non-superseded patches that match the QQL criteria will be added to the job.]

• The query specifies the targeted patches.

• Choose between Patch or Vulnerability when constructing a query.
“Within Scope” Patch

[Screenshot: scope selector with the options “Within Scope” and “All”.]

• “Within Scope” only includes patches needed by your targeted host assets.
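One way to see what query-driven patch selection does at job run time, as an added example serving this slide, the “Select Patches Using QQL” slide and the earlier “Zero-Touch Patching” slide together (illustrative code written for this page, not Qualys code and not the QQL engine). It parses only a flat subset of the query syntax shown on the slides (terms joined by and/or, quoted values, true/false), which is an assumption of the example; the nested vulnerabilities.vulnerability:( ... ) form is not handled. The patch records, asset names and threatIntel flags are constructed sample data.

```python
"""Query-driven patch selection for a deployment job (illustrative, not Qualys code)."""
import re
from typing import Any, Dict, Iterable, List, Tuple

Record = Dict[str, Any]
Clause = List[Tuple[str, Any]]


def _parse_value(raw: str) -> Any:
    value = raw.strip().strip("'\"`‘’")
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def parse_query(query: str) -> List[Clause]:
    """Parse 'a:x or b:y and c:z' into an OR-list of AND-clauses of (field, value).

    Only this flat subset of the query language is handled (an assumption of the
    example); the nested vulnerabilities.vulnerability:( ... ) form is not.
    """
    clauses: List[Clause] = []
    for disjunct in re.split(r"\s+or\s+", query.strip(), flags=re.IGNORECASE):
        terms: Clause = []
        for term in re.split(r"\s+and\s+", disjunct, flags=re.IGNORECASE):
            field, sep, value = term.partition(":")
            if not sep or not field.strip():
                raise ValueError(f"malformed term: {term!r}")
            terms.append((field.strip(), _parse_value(value)))
        clauses.append(terms)
    return clauses


def matches(record: Record, clauses: List[Clause]) -> bool:
    return any(all(record.get(f) == v for f, v in terms) for terms in clauses)


def select_patches(patches: List[Record], query: str,
                   targeted_assets: Iterable[str], within_scope: bool = True) -> List[str]:
    """IDs of missing, non-superseded patches that match the query.

    within_scope=True keeps only patches needed by the job's targeted assets;
    False ("All") keeps any patch that is missing somewhere in the subscription.
    """
    clauses = parse_query(query)
    targets = set(targeted_assets)
    chosen: List[str] = []
    for p in patches:
        if p["isSuperseded"]:
            continue  # superseded patches are never added to the job
        needed_by = set(p["missingOn"])
        if within_scope:
            needed_by &= targets
        if needed_by and matches(p, clauses):
            chosen.append(p["id"])
    return chosen


# Constructed patch records: the threatIntel fields summarise the vulnerabilities
# each patch fixes; IDs, app families and asset names are made up.
PATCHES: List[Record] = [
    {"id": "P1", "appFamily": "Chrome", "isSuperseded": False,
     "missingOn": ["web-01"], "threatIntel.malware": False, "threatIntel.activeAttacks": True},
    {"id": "P2", "appFamily": "Chrome", "isSuperseded": True,
     "missingOn": ["web-01"], "threatIntel.malware": False, "threatIntel.activeAttacks": True},
    {"id": "P3", "appFamily": "Firefox", "isSuperseded": False,
     "missingOn": ["lab-99"], "threatIntel.malware": False, "threatIntel.activeAttacks": False},
    {"id": "P4", "appFamily": "Edge", "isSuperseded": False,
     "missingOn": ["ws-01"], "threatIntel.malware": False, "threatIntel.activeAttacks": False},
    {"id": "P5", "appFamily": "Office", "isSuperseded": False,
     "missingOn": ["ws-01"], "threatIntel.malware": True, "threatIntel.activeAttacks": False},
]
TARGETS = ["web-01", "ws-01"]
BROWSER_QUERY = "appFamily:'Chrome' or appFamily:'Firefox' or appFamily:'Edge'"
THREAT_QUERY = "threatIntel.malware:True or threatIntel.activeAttacks:True"


def demo() -> dict:
    return {
        "browsers_within_scope": select_patches(PATCHES, BROWSER_QUERY, TARGETS),
        "browsers_all": select_patches(PATCHES, BROWSER_QUERY, TARGETS, within_scope=False),
        "threats_within_scope": select_patches(PATCHES, THREAT_QUERY, TARGETS),
    }


if __name__ == "__main__":
    print(demo())
```

Re-running select_patches at each scheduled run is what makes the job “zero-touch”: a Chrome patch published after the job was created still matches the appFamily query, the superseded Chrome patch P2 is skipped even though it matches, and the Firefox patch P3 is excluded under “Within Scope” because none of the job's targeted assets is missing it.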
Schedule Deployment

Schedule the deployment job to run on demand or in the future.

Schedule: Schedule the deployment job to run at a set time.

[Screenshot: Start Date 09/01/2027, Start Time 12:30am. Timezone: “By default the system will use the agent timezone.” (Set timezone). Patch Window: “You can configure a patch window to run the deployment job only within a particular time frame.” None / Set Duration; recurrence options include Monthly.]

Note: Not setting the patch window will allow the cloud agent to take as much time as it needs to complete the job.

• Run jobs “on demand” or schedule them to run at regular frequencies.
Patch Window

You can configure a patch window to run the deployment job only within a particular time frame.

[Screenshot: Patch Window: None / Set Duration (selected); duration 6 Hours.]

Note: Setting this will restrict the agent to complete the job within the specified patch window (e.g., start time + 6 hrs). The job gets timed out outside this window.

• A host will display the “Timed out” status if the patch installation does not start within a specified patch window.

• Select the “None” option to give agents an unlimited amount of time.
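The patch-window rule from this slide and the “agent timezone by default” rule from the previous one, combined in an added example written for this page (illustrative code, not Qualys code and not how the Cloud Agent evaluates jobs). The start date and time are the ones on the slide; the two agent timezones are constructed fixed offsets, the installation start time is made up, and the status strings other than “Timed out” are the example's own labels.

```python
"""Patch window and timezone handling for a scheduled job (illustrative, not Qualys code)."""
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Optional

UTC = timezone.utc
# Constructed agent timezones as fixed offsets (a real agent reports a named zone).
AGENT_A_TZ = timezone(timedelta(hours=-7))
AGENT_B_TZ = timezone(timedelta(hours=1))


def scheduled_start_utc(start_wall_clock: datetime, agent_tz: tzinfo,
                        job_tz: Optional[tzinfo] = None) -> datetime:
    """Interpret the job's start date/time in the agent's timezone unless the
    job sets its own ("Set timezone"), and normalise to UTC for comparison."""
    zone = job_tz if job_tz is not None else agent_tz
    return start_wall_clock.replace(tzinfo=zone).astimezone(UTC)


def job_status(start_utc: datetime, window_hours: Optional[int],
               install_started_utc: Optional[datetime], now_utc: datetime) -> str:
    """"Timed out" if installation did not start inside [start, start + window].

    window_hours=None models the "None" option: the agent may take as long as
    it needs, so the job can never time out.
    """
    deadline = None if window_hours is None else start_utc + timedelta(hours=window_hours)
    if install_started_utc is not None:
        if deadline is None or install_started_utc <= deadline:
            return "Installing"
        return "Timed out"
    if deadline is not None and now_utc > deadline:
        return "Timed out"
    return "Scheduled"


def demo() -> dict:
    """The slide's start (09/01/2027 12:30am) with a 6 hour window, seen by two agents."""
    start = datetime(2027, 9, 1, 0, 30)                 # wall-clock time entered in the job
    start_a = scheduled_start_utc(start, AGENT_A_TZ)    # 07:30 UTC on Sep 1
    start_b = scheduled_start_utc(start, AGENT_B_TZ)    # 23:30 UTC on Aug 31
    both_begin = datetime(2027, 9, 1, 10, 0, tzinfo=UTC)  # constructed: both agents start then
    return {
        "agent_a": job_status(start_a, 6, both_begin, both_begin),
        "agent_b": job_status(start_b, 6, both_begin, both_begin),
        "agent_b_no_window": job_status(start_b, None, both_begin, both_begin),
        "before_start": job_status(start_a, 6, None, start_a),
        # with a job timezone set, every agent computes the same UTC start
        "same_start_with_job_tz": scheduled_start_utc(start, AGENT_A_TZ, job_tz=UTC)
        == scheduled_start_utc(start, AGENT_B_TZ, job_tz=UTC),
    }


if __name__ == "__main__":
    print(demo())
```

The same job definition yields a different window on each agent when the agent timezone is used: agent B's six hours end at 05:30 UTC, so an installation beginning at 10:00 UTC is “Timed out” there while agent A is still inside its window. Setting a job timezone removes that spread, and the “None” option removes the timeout entirely.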
Windows Communication Options

Deployment and Reboot Communication Options

Define user (recipient) patch deployment communication and reboot warning messages to encourage and educate the user about patch installment and the reboot cycle.

Reboot messages:

Suppress Reboot: Asset reboot is suppressed and users are not prompted for reboot post patch installation.

Reboot Request: Show a message to users indicating that a reboot is required. (If no user is logged in, the reboot will start immediately after patch deployment.)

Reboot Countdown: Show countdown message to users after deferment limit is reached.

• Choose the type of “Deployment and Reboot Communication Options” for each Deployment Job.

Opportunistic Patch Download

Additional Job Settings

Enable opportunistic patch download: The agent attempts to download patches before a scheduled job runs.

Minimize job progress window: Allow end-users to minimize message windows.

• You can “Enable opportunistic patch download” to allow agents to download required patches prior to the start of a scheduled job.
Linux Communication Options

Reboot Communication Options

Define user (recipient) patch deployment communication and reboot warning messages to encourage and educate the user about patch installment and the reboot cycle.

Reboot messages:

Suppress Reboot: Asset reboot is suppressed and users are not prompted for reboot post patch installation.

Reboot Countdown: Show countdown message to users after deferment limit is reached.

• Suppress Reboot and Reboot Countdown.
Add to Existing Job?

[Screenshot: Add Patches: Existing Deployment Jobs. Columns: Status, Job Name, Created By, Schedule. Rows: Scheduled - Recurring (created by trann3zd54 on Jul 30, 2020; every 30th day of the...), Scheduled - Run Once (created by trann3zd54 on Jul 30, 2020; once, Aug 30 2020), On Demand - Run Now (created by trann3zd54 on Jul 30, 2020; on-demand).]

• Patches and assets can be added to any deployment job, before it is enabled.

• Patches and assets can be added to a “recurring” job, both before and after it is enabled.
Best Practices

= Use Asset Tags as targets for patch deployment jobs.

= Deploy patches to test hosts, first (create Asset Tags that distinguish between test and production assets).

= Once test deployments are verified, clone the deployment job and include production asset tags.


Patch Catalog

Patches

[Screenshot: Patch Management > Patches > Patch Catalog (35.3K total patches). Left-hand filters by App Family (Windows 17.8K, Office 4.18K, ...) and Vendor (Microsoft 27.8K, Adobe, Google 596, Opera Software 420, ...). Example rows: Snagit 2019.1.7 (X86, SNAG19-200804, Application, published Aug 03, 2020, QSNAG1917); Snagit 2018.2.6 (X86, SNAG18-200804, QSNAG1826); August 4, 2020, updat... (X86, MSNS20-08-4484477, KB4484477); August 4, 2020, updat... (X86, MSNS20-08-4484464, KB4484464).]

• The Patch Catalog contains tens of thousands of OS and application patches.

• Presently, you can add up to 2000 patches to a single job.
Lab 12: Patch Catalog

Please consult pages 42 to 46 in the lab tutorial supplement for details.

Tutorial begins on page 42. 10 mins
Catalog's Default Display Filters

[Screenshot: Filters panel: Patch Status (Missing / Installed); Only Latest Patches (Non-superseded): Yes.]

• The default filters in the Patch Catalog display patches that are missing and only the latest patches (non-superseded).
Acquire From Vendor

[Screenshot: Patch Catalog filtered with downloadMethod:AcquireFromVendor, listing Microsoft Power BI De... patches (PBID-200728, published Jul 27, 2020; PBID-200723, published Jul 22, 2020) marked with the key-shaped AcquireFromVendor icon.]

• Patches identified with the “key-shaped” icon cannot be downloaded by Qualys’ Cloud Agent.
Prioritized Products

• Automate the selection of patches in recurring deployment jobs.
• Patches are selected using QQL.
• Patches meeting the query condition are included in scheduled deployment jobs (daily, weekly, monthly).
• Patch Jobs are initiated from the Patch Catalog (i.e., click the “Prioritized Products” button).

Products listed near the top introduce the most vulnerabilities into your business and enterprise architectures.

[Screenshot: Qualys Cloud Platform > Prioritized Products. “This report enables you to view the total number of product vulnerabilities (active and fixed) detected in your environment over the last 2 years.” Columns: App Family Name, Vulnerabilities. Rows: Chrome (9494), Windows, Firefox, Edge, Java, Internet Explorer, Flash, Office.]
Create Job Using Query

[Screenshot: Prioritized Products list with vulnerability counts: Chrome 9710, Windows 7498, Firefox 3608, Edge 1856, Java 1260, Internet Explorer 718; the Actions menu offers “Create Job using Query”.]

• Select applications from the “Prioritized Products” list and use the “Actions” button to “Create Job using Query.”

• A query designed to target the selected applications is constructed automatically (using QQL).

Create a Query for Patches

Select Patches

Choose the patches you want to install for the selected assets or create a query for the job.

[Screenshot: “Create a Query for Patches” option selected. Note: For optimum performance, only missing and non-superseded patches that match the QQL criteria will be added to the job.]

• The generated query condition(s) will specify the criteria for selecting patches each time the job runs (daily, weekly, monthly).
Additional VMDR Applications

Security Configuration Assessment (SCA)

• Monitor and assess assets for misconfigurations.

• Leverage Qualys Scanners and Agents.

• Provides over 400 CIS Benchmark Policies for hundreds of OS and application technologies.

• Upgrade from SCA to PC.

[Screenshot: Create a New Policy > Policy from Library: “Choose from one of the policies in our library. Find the policy that best suits your needs. The SCA policies are certified by the CIS for the CIS benchmarks, which provide secure configuration guidelines to identify and remediate the security vulnerabilities for a wide range of technologies. The out of the box policies have controls, pre-configured as per the recommendations from the CIS. Click on one of the required CIS policies below, and then click Next to import it.” Technology filters include AIX 6.x, AIX 7.x, Amazon Linux 2 AMI, Amazon Linux AMI, Apache HTTP Server 2.2.x, Apache HTTP Server 2.4.x, Apache Tomcat 6.x through 9.x and Apple Safari 11.x through 13.x. Policies (408), e.g. CIS Benchmark for IBM AIX 6.1, v1.1.0 [Scored, Level 1] (Version 8.0, 05/17/2020); CIS Benchmark for IBM AIX 6.1, v1.1.0 [Scored, Level 1 and Level 2] (Version 7.0, 05/17/2020); CIS Benchmark for Apache Tomcat 6.0 v1.0.0 [Scored and Not Scored, Level 1] (Version 3.0, 10/29/2019); CIS Benchmark for Apache Tomcat 6.0 v1.0.0 [Scored and Not Scored, Level 1 and Level 2] (Version 3.0, 10/29/2019); each with View Description | View Policy links.]
CloudView & Cloud Security Assessment (CSA)

• Leverage Qualys Cloud Connectors.

• Add cloud-based assets to your asset inventory.

• Collect metadata to assess both your account and assets for misconfigurations.

• CSA provides “out-of-box” policies for your AWS, Azure, and Google accounts.

[Screenshot: policy list: Azure Function App Best Practices Policy, AWS Best Practices Policy, GCP Best Practices Policy, GCP Cloud Functions Best Practices Policy, CIS Amazon Web Services Foundations Benchmark, Azure Best Practices Policy.]
Container Security (CS)

• Assess container applications for vulnerabilities and misconfigurations.

• Deploy Container Sensors right alongside other container applications.

Container Sensor Types:
1. General Sensor
2. Registry Sensor
3. CI/CD Pipeline Sensor
CertView (CERT)

Leverage Qualys Scanner Appliances to provide visibility into certificates across your network and enterprise architecture (on-premise and cloud-based).

= Create a baseline inventory of existing certificates and monitor for new certificates.

[Screenshot: certificate inventory with Monitored and Archived tabs (1-9 of 9).]
Continuous Monitoring

[Screenshot: alert types: Software, Ticket, Host, Vulnerability, Certificate, Port / Service.]

= Add custom alerts to your vulnerability assessment program for immediate response.

= CM works in tandem with VM/VMDR:
  Deploy Qualys Scanner Appliances and/or activate the VM module for deployed Qualys Agents.
  Schedule frequent or continuous vulnerability scans.


VMDR for Mobile Devices

= Collect inventory and configuration data from your mobile devices (integration with Qualys Global Al).

= Perform vulnerability and compliance assessments.

= Perform active device operations, like locking a screen or locating a missing device.
Following This Course

VMDR Certification Exam
https://gm1.geolearning.com/geonext/qualys/scheduledclassdetails4enroll.geo?&id=22511237824

VMDR Course Survey
https://forms.office.com/r/rsy0Aja6Xz

VMDR Trial Account
https://www.qualys.com/forms/vmdr/

Qualys.

Thank You